TI9 and the Acronis Secure Zone

I am trying to understand the logic and practical implications of using the TI9 Acronis Secure Zone functionality.

1. Reason for using the Acronis Secure Zone (ASZ)

The only practical reasons that I can see to use the ASZ is to enable the Acronis Startup Recover Manager and the Acronis Snap Restore. Is there any other reason to implement the ASZ?

2. Benefits of using the Acronis Startup Recovery Manager (ASRM)

What are the benefits of using the ASRM? Why not just boot from the TI9 CD? What functionality does the ASRM provide that is not provided when booting from the TI9 CD?

3. Location of the ASZ

Common sense dictates that the ASZ should always be located on a different disk to the system. Understandably this disk should be part of the local system and not a network drive. But must the ASZ be located on an Internal Disk or can it be located on an External USB drive? (The documentation isn't very clear about this, it just refers to a "local disk").

4. The ASRM and the Master Boot Record (MBR)

The ASRM must be activated before it can be used. When a user activates the ASRM it overwrites the MBR with Acronis proprietary code. Which MBR does it overwrite? The MBR on the System Disk or the MBR on the disk where the ASZ is located?

5. Risks in using the ASRM

Overwriting the MBR is a risky business. If this process goes wrong the disk may become unusable and might need to be reformatted. How does Acronis deal with such an eventuality?

6. 3rd-party Boot Manager

If the user has a 3rd-party Boot Manager installed on the System Disk (by default the Windows BootLoader will always be installed) then that Boot Manager (or the Windows BootLoader) will become inoperative because it will no longer recognise the MBR. Must the user now reinstall the Boot Manager? If the user installs or reinstalls a Boot Manager AFTER activating the ASRM the MBR will once again be overwritten with the proprietary code of the Boot Manager application. What happens now if the user boots using the ASRM? The MBR will now contain the code of the Boot Manager and not the Acronis code. Will the ASRM boot? If "yes" how is this possible and why does the ASRM overwrite the MBR in the first place. If "no" then what happens?

7. ASZ on Disk_2

Assume that on Disk_2 the user has several partitions containing data. The disk also has an additional partition containing the Acronis Secure Zone.

Assume also that Disk_1 (the System Disk) fails. The user now boots using the ASRM. Where does the ASRM look for the MBR? It won't find it on Disk_1 because that disk has failed. Therefore logic dictates that the Acronis proprietary MBR must be located on the same disk as the ASZ - in this case Disk_2.

Disk_2 would have initially not had an MBR because it was simply a data disk. When the user activated the ASRM the Acronis proprietary MBR was written to this disk. What are the implications for doing this? How high are the risks? What are the risks?

8. System Disk Failure

Assume that the System Disk fails. The user has a ASZ setup on Disk_2. The user removes the failed disk and replaces it with a new disk. The user now boots the system using the ASRM. How will the user reconstruct the failed System Disk to the new disk while ensureing that the new disk geometry matches the Partition Table that is contained within the system image?

I will not try to answer all your points but just to say why I find the secure zone the best place for storing my first line of defence backups. On a slave drive there is only a marginal increase in security using the zone but it has the great advantage of being self managing on the FIFO basis. So once one has decided on the size of the zone and set up a simple backup task schedule a user's involvement is no longer required. Backups happen automatically in the background and the zone will always have "n" images of the most recent backups in date and time order.
I am not really concerned with the design logic behind the secure zone ,though my understanding is that it was originally intended to be a place where images could be kept by users who only had one drive and no external media.
I can see no merit in using the ASRM though I am sure some users find it helpful. The fact that it alters the MBR should be of no great concern as it is simple to put things back to where they were if one reads the manual and there are also recognised Windows methods available for those who don't bother.

1 - You only have 1 hard drive available.
2 – Don’t have to search for the CD.
3 – See response to #1.
4 – AFAIK it’s the MBR from which the system boots.
5 – Now backs up the MBR with partition images.
6 – Never used one.
7 – Again, see #1.
8 – See above.

While the automatic deletion of image files following the FIFO rule may be convenient to some (scheduling) users, the Secure Zone prevents building an additional level of security by copying the occasional important image to another storage. Or managing the image files in any way, other than automatic FIFO.

The activation of Startup Recovery Manager, besides modifiying the MBR, takes away the option to boot into Windows Safe mode by means of F8.

2.What are the benefits of using the ASRM? Why not just boot from the TI9 CD? What functionality does the ASRM provide that is not provided when booting from the TI9 CD?

Click to expand...

Acronis True Image bootable rescue CD includes the functionality of Acronis Startup Recovery Manager. However, if you do not want to use the bootable rescue media, you just can press F11 when you boot your computer and use Acronis True Image in rescue mode.

Common sense dictates that the ASZ should always be located on a different disk to the system. Understandably this disk should be part of the local system and not a network drive. But must the ASZ be located on an Internal Disk or can it be located on an External USB drive? (The documentation isn't very clear about this, it just refers to a "local disk").

Click to expand...

We do not recommend creating the Acronis Secure Zone on an external drive. If you activate Acronis Startup Recovery Manager and then for some reason disconnect the drive Acronis Secure Zone resides on, your computer may boot with a long delay or not boot at all. You will need to either reconnect the drive with the Acronis Secure Zone or fix the master boot record (MBR). Please take a look at this FAQ article.

The ASRM must be activated before it can be used. When a user activates the ASRM it overwrites the MBR with Acronis proprietary code. Which MBR does it overwrite? The MBR on the System Disk or the MBR on the disk where the ASZ is located?

Click to expand...

Acronis Startup Recovery Manager overwrites Master Boot Record on the System Disk.

Overwriting the MBR is a risky business. If this process goes wrong the disk may become unusable and might need to be reformatted. How does Acronis deal with such an eventuality?

Click to expand...

In this case, we recommend you to repair the MBR of the hard disk using one of the following methods:

6. 3rd-party Boot Manager
If the user has a 3rd-party Boot Manager installed on the System Disk (by default the Windows BootLoader will always be installed) then that Boot Manager (or the Windows BootLoader) will become inoperative because it will no longer recognise the MBR.

Click to expand...

Please note that it depends on the Boot Manager peculiarities. If you use Windows boot manager, Acronis Startup Recovery Manager does not affect it.

If you use Linux based boot loader and you want to use Acronis Startup Recovery Manager, you should install boot loader to the boot partition.

If you activate Acronis Startup Recovery Manager on the computer where Acronis OS Selector is installed, Acronis OS Selector will function without any problems and recognize Acronis Startup Recovery Manager as the additional option.

ASZ on Disk_2

Click to expand...

As I said above, Acronis Startup Recovery Manager overwrites MBR on System Disk (Disk 1). When you boot the computer using F11 option, the MBR references to the Disk 2 where Acronis Secure Zone is located. If your Disk 1 has failed but MBR is not corrupted, you will be able to load Acronis True Image. If your MBR is corrupted, we recommend you to use the bootable rescue media to restore the image.

System Disk Failure

Assume that the System Disk fails. The user has a ASZ setup on Disk_2. The user removes the failed disk and replaces it with a new disk. The user now boots the system using the ASRM. How will the user reconstruct the failed System Disk to the new disk while ensureing that the new disk geometry matches the Partition Table that is contained within the system image?

Click to expand...

I'm afraid that if you remove the failed disk, you will not be able to boot the computer using Acronis Startup Recovery Manager. In this case, you need to use the bootable rescue media to boot the computer, restore the image to the new hard drive and activate Acronis Startup Recovery Manager once again if you want.

You can find more information on how to use Acronis True Image 9.0 Home in the respective User's Guide.

Thanks to all who responded and particularly Tatyana of Acronis Support for a very detailed and informative reply.

This thread contains some very relevant and important material and forms a good supplement to the appropriate section in the User Guide. Here is a summary of some of the important points to consider BEFORE implementing the Acronis Secure Zone (ASZ) and Acronis Startup Recovery Manager (ASRM).

1. Points from Thread

* Booting from the TI9 CD provides the same functionality as the ASRM but with one very big advantage - booting from the CD does not require any changes to be made to the Master Boot Record (MBR) and is therefore a preferred option in most situations.

* If the System Disk fails due to an electrical or mechnical fault, or if the MBR on the System Disk is corrupted, the ASRM will not function even if the ASZ is on another disk. The user will still need to boot from the TI9 CD or some other bootable media.

* A large number of PC's are purchased through Original Equipment Manufacturers (OEM's). The "Windows" CD supplied by an OEM with a PC is often proprietary to that specific OEM and usually contains only a subset of Windows functionality. Importantly, many OEM "Windows" CD's do not include the Recovery Console which means that if the MBR is corrupted the user cannot boot into Recovery Console and run "fixmbr".

* Thanks to bVolk for pointing out that the ASZ and ASRM functionality removes the Windows Safe Mode F8 boot option. (Note for Acronis Support - this should be made clear in the User Guide). Safe Mode is possibly one the least understood Windows utilities. Safe Mode is a very powerful tool that is absolutely indispensible in many critical situations. I would never recommend to a customer that they install any type of utility that removes the ability to boot into Safe Mode. In my view this alone eliminates the ASZ and ASRM as a viable option in most situations.

* The ASRM will work with Acronis Disk Director and the Windows boot mechanism but may not work with other boot loaders.

2. Summary

If a system has more than one disk and has a CD drive then there is no benefit in setting up the Acronis Secure Zone and activating the Acronis System Recovery Manager.

If a system has only one disk and no CD drive then the ASZ and ASRM provides functionality that may enable such a system to be booted in the event of a failure. However, whether such a system is bootable depends on the nature of the failure.

3. Conclusion

The ASZ and ASRM are not appropriate for most installations and should only be implemented in very special circumstances and then only if the benefits outweigh the risks.

Thanks Xpilot for your feedback. You seem to have found a good use for the ASZ, that possibly other users may find helpful. It may be of benefit to others if you detailed how you use the ASZ either in this thread or in a new thread.

However, in terms of how Acronis intended the ASZ to be used, it is in my view, functionality that is not appropriate for most installations. Acronis Support have stated that the ASZ should only be setup if the user intends to implement the Acronis Startup Recovery Manager and the Acronis Snap Restore. If the user has no intention of using this functionality then there is no purpose in setting up the ASZ.

Another factor to take into account is that external disks are becoming increasingly popular for storing backups. Particularly the option of purchasing an inexpensive disk and locating it in an external housing is a very cost-effective option. Acronis Support recommend that the ASZ should not be located on an external disk, so this in itself is a limiting factor.

Rather than having to set up a special partition, or create post-command fiels to rename or delete backups to keep them in order and prevent excess accumulation, it would be really nice to be able to tell ATI to do that, to append a suffix serially to backups and whenit get to X, start over at 1, overwriting the existing file, if any.

Also worth mentioning is that on an ATI upgrade it corrupted my secure zone. Or rather the part of the secure zone that contains the recovery manager files (I assume the actual backup image was intact, though I don't know that for a fact). I got a "partition not bootable" or similar error message instead of the "Press F11 for recovery manager" prompt. Windows booted fine though, and once I went through the startup recovery activation wizard again the recovery manager was back in shape too.

I must admit I actually perform a full backup to an external drive before I dare upgrade ATI. It's a great product when it works, but I do not trust anything in it apart from the core functionality of creating and restoring a full image. That includes its ability to upgrade itself without killing my entire machine.

Thanks Xpilot for your feedback. You seem to have found a good use for the ASZ, that possibly other users may find helpful. It may be of benefit to others if you detailed how you use the ASZ either in this thread or in a new thread.

However, in terms of how Acronis intended the ASZ to be used, it is in my view, functionality that is not appropriate for most installations. Acronis Support have stated that the ASZ should only be setup if the user intends to implement the Acronis Startup Recovery Manager and the Acronis Snap Restore. If the user has no intention of using this functionality then there is no purpose in setting up the ASZ.

Another factor to take into account is that external disks are becoming increasingly popular for storing backups. Particularly the option of purchasing an inexpensive disk and locating it in an external housing is a very cost-effective option. Acronis Support recommend that the ASZ should not be located on an external disk, so this in itself is a limiting factor.

Click to expand...

OK,
This is how I use the Secure Zone. It is set up on a slave drive that is mounted in my PC. It is large enough to hold ten whole main drive images. Images are created while Windows is running. The imaging process is started automatically by the Acronis Task schedule manager. I have chosen that the task is run daily. The main advantages of this way of using the secure zone is that the backups run automatically with no user input, they are managed on the FIFO basis and they are out of harm's way.
I am aware that this is not the way that the SZ was designed to be used but as they say "So what" I think the way I have found is extremely useful.
I used to follow the thinking that external disks were the way to go and till recently USB drives were part of my backup stratergy as a second line of defence after the secure zone. But now I have found a better way !
I will set out the main advantages:- It is no longer necessary to validate images. The process is much quicker than using external drives. DVDs stay next to the TV/Hi FI where they belong). The hardware costs are less than external drives. Restores are virtually instantanious.

The hardware change is to install a Caddy rack in the PC. this caddy drawer holds the main hard drive and another hard drive is kept ready in another Caddy drawer.
The method of working is simplicity itself. After an automatic backup image has completed the computer is re-booted from the rescue CD having swapped the main drives over. A restore is then run and after it has completed re-boot and you are done.
So one is left with a population of fully PROVEN backup images, a freshly restored hard drive in the computer and another up to date copy hard drive safe in its Caddy drawer. When a disaster strikes one just has to swap hard drives over and that is it job done.
NB. At no time is the lengthly and sometimes difficult cloning process used. Imaging and restore can be much quicker and as no validation is needed even more time is saved.
Now I am certain that the idea of doing a restore in advance was not in the mind of Acronis when they designed True Image but I have not let that stop me :-0
I believe that this method of working using the best parts of TI and ignoring the rest is hard to beat.

I apologise for repeating a lot of the content of a previous post of mine but I think the above detail explains my methodolgy more clearly.